Patch js-yaml merge-key DoS (SNYK-JS-JSYAML-17900054)#1056
Conversation
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
In order to get good yaml squiggles, we use js-yaml is a bit of a weird way to build the annotated YAML parses that include source location information. I think this is safe, but I would probably test the YAML validation infra inside the extension just to make sure it's still good. |
|
Thanks, @cscheid! If you trace how the YAML validation actually runs, this bump doesn't touch the path makes these kinds of squiggles:
The squiggles (e.g. "potato" not being a valid The annotated-parse code you're probably thinking of lives in What this repo's js-yaml is actually used for is the extension's own front-matter and resource parsing, e.g. reading the shipped We are running the vscode |
|
I forgot that we still use that vendored JS blob for the VS code extension as well! (we have to do it in RStudio but I thought we had brought up that YAML code into the monorepo. Too. Many. Small. Differences! My apologies.) But that's good news here. |

Re-resolve the transitive js-yaml dependency to patched versions within each major line (4.3.0 for the
^4.1.0consumers, 3.15.0 for eslint's transitive^3.13.1), closing the quadratic-complexity merge-key DoS advisory (SNYK-JS-JSYAML-17900054 / CVE-2026-53550) across all dependency paths. The same bump also clears the related prototype-pollution-in-merge advisory (CVE-2025-64718, fixed in 3.14.2 and 4.1.1) on those same paths.This supersedes the Snyk PRs #1048, #1049, #1050, #1051, and #1054, each of which proposed bumping js-yaml to 4.3.0 in a single package.json (quarto-core, editor-server, lsp, vscode, and vscode-markdownit), and #1053, which proposed bumping eslint from 7 to 9 in quarto-ojs-runtime solely to drag its transitive js-yaml 3.x off the vulnerable version. The lockfile re-resolution fixes every path at once, including the transitive js-yaml 3.x pulled in by eslint, with no package.json changes and no eslint 9 flat-config migration. js-yaml's public API is unchanged across these patch/minor bumps (both the 3.x and 4.x lines keep the same
load/dumpAPI and the sameargparse/esprimadeps), so there is no behavior change.One dev-only copy of js-yaml 4.1.0 remains, pinned exactly by mocha 9's test runner; it is not reachable by lockfile re-resolution and only ever parses trusted local config, so it is left as-is.
This PR addresses part of #1052 but not all of that one; I think we'll handle that separately.